Hi,

On Thu, Jun 10, 2021 at 05:30:11PM +0200, Arne Schwabe wrote:
> For the second reply of an OpenVPN we have not completed the three
> way handshake yet and the client IP address is still untrusted.
> When retransmitting the reset packet multiple times when timing
> out for an ACK response to it, we send the packet multiple
> times to an untrusted IP which is nowadays considered bad in a
> protocol.
For the record: we have decided at the hackathon to drop this patch for the time being, because we (Arne, Steffan and Max) came up with a better approach.

Instead of "keep state after the first packet" we want to move towards a syn-cookie like approach where the packet is answered, and forgotten (= not re-sent because we do not even know there was a packet). Only the 3rd packet in the handshake causes state on the server - and that confirms that the client IP+Port is not spoofed.

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
                                        Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
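The syn-cookie-like handshake Gert describes, as an added illustration in C that is not OpenVPN's code and not part of the thread: the server answers packet 1 with a keyed cookie derived from the source IP, source port and the client's session id, keeps no state, and allocates a session only when packet 3 echoes a cookie that verifies for the same source address. A sender with a spoofed source never sees packet 2, so it cannot produce packet 3, and the server never retransmits anything to the untrusted address. The keyed function (SipHash-2-4), the packet fields, the fixed secret and the `struct server` session counter are assumptions made for this demo; a real deployment would rotate the secret so old cookies expire.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* SipHash-2-4 (Aumasson & Bernstein): the keyed function that binds a
 * cookie to the secret and to the client's address. Host byte order is
 * used for the loads; this only changes the value, not the scheme. */
#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); \
} while (0)

static uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
    uint64_t k0, k1;
    memcpy(&k0, key, 8);
    memcpy(&k1, key + 8, 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
    uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
    uint64_t v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = ((uint64_t)len) << 56;
    size_t i;
    for (i = 0; i + 8 <= len; i += 8) {
        uint64_t m;
        memcpy(&m, in + i, 8);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t j = 0; i + j < len; j++)
        b |= ((uint64_t)in[i + j]) << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

struct endpoint { uint32_t ip; uint16_t port; };   /* assumed: UDP source address */
struct server   { uint8_t secret[16]; int sessions; };  /* state only for verified peers */

/* Packet 1 -> packet 2: compute a cookie from (secret, src ip, src port,
 * client session id). Nothing is stored, so there is nothing to retransmit. */
static uint64_t server_make_cookie(const struct server *s, struct endpoint src,
                                   uint64_t client_sid)
{
    uint8_t buf[4 + 2 + 8];
    memcpy(buf, &src.ip, 4);
    memcpy(buf + 4, &src.port, 2);
    memcpy(buf + 6, &client_sid, 8);
    return siphash24(s->secret, buf, sizeof buf);
}

/* Constant-time comparison so a forged cookie leaks no timing information. */
static int ct_eq64(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(1 & ~d);
}

/* Packet 3: the only point where the server allocates state, and only if
 * the echoed cookie verifies for the address the packet came from. */
static int server_accept_third(struct server *s, struct endpoint src,
                               uint64_t client_sid, uint64_t cookie)
{
    if (!ct_eq64(server_make_cookie(s, src, client_sid), cookie))
        return 0;                       /* unverified source: drop, keep no state */
    s->sessions++;
    return 1;
}

/* Simulated exchange. spoofed == 0: the real client at 10.0.0.2 receives
 * packet 2 and echoes the cookie. spoofed == 1: a sender forges 10.0.0.2
 * as its source, so packet 2 goes to 10.0.0.2 and the forger must guess.
 * Returns the number of sessions the server holds afterwards. */
static int demo_handshake(int spoofed)
{
    struct server srv = { { 0x13, 0x37, 0x42, 0x99, 0x01, 0x02, 0x03, 0x04,
                            0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10, 0x20 }, 0 };
    struct endpoint client = { 0x0a000002u, 1194 };  /* constructed: 10.0.0.2:1194 */
    uint64_t sid = 0x0123456789abcdefULL;            /* constructed client session id */

    uint64_t pkt2_cookie = server_make_cookie(&srv, client, sid);  /* sent to 10.0.0.2 */
    uint64_t pkt3_cookie = spoofed ? 0 : pkt2_cookie;  /* forger never saw pkt2 */
    server_accept_third(&srv, client, sid, pkt3_cookie);
    return srv.sessions;
}

/* A cookie captured for one address must not verify from another one. */
static int demo_cookie_bound_to_address(void)
{
    struct server srv = { { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 }, 0 };
    struct endpoint a = { 0x0a000002u, 1194 }, b = { 0x0a000003u, 1194 };
    uint64_t cookie = server_make_cookie(&srv, a, 7);
    return server_accept_third(&srv, b, 7, cookie) == 0 && srv.sessions == 0;
}

int main(void)
{
    printf("legit handshake -> sessions=%d\n", demo_handshake(0));
    printf("spoofed source  -> sessions=%d\n", demo_handshake(1));
    printf("cookie bound to address: %s\n", demo_cookie_bound_to_address() ? "yes" : "no");
    return 0;
}
```

The property worth checking is that `srv.sessions` stays at zero for every path that did not complete the round trip: the forged source, and a valid cookie replayed from a different address.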